Exam Questions and Correct Answers
Question 1
You have an Azure subscription that contains 10 virtual networks. The virtual networks are
hosted in separate resource groups. Another administrator plans to create several network
security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it
automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork
provider.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B. No
Explanation: Unregistering the Microsoft.ClassicNetwork provider only affects classic (ASM)
deployments. It has no impact on Azure Resource Manager (ARM) NSGs or enforcing custom
rules on new NSGs. A custom Azure Policy is required for this automation.
Question 2
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named
contoso.com. You plan to grant three users named User1, User2, and User3 access to a temporary
Microsoft SharePoint document library named Library1. You need to create groups for the users.
The solution must ensure that the groups are deleted automatically after 180 days. Which two
groups should you create? Each correct answer presents a complete solution.
A. An Office 365 group that uses the Assigned membership type.
B. An Office 365 group that uses the Dynamic User membership type.
C. A Security group that uses the Assigned membership type.
D. A Security group that uses the Dynamic User membership type.
Correct Answers: A and B (Note: The provided text indicates "An office 365 group that uses the
Assigned membership type" and "An office 365 group that uses the Dynamic User membership
type" as the intended options.)
Explanation: Office 365 groups (now Microsoft 365 groups) support expiration policies that
automatically delete the group after a set number of days (e.g., 180 days). Both Assigned and
Dynamic User membership types are supported for expiration.
Question 3
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the
users shown in the table below.
User3 is the owner of Group1. Group2 is a member of Group1.
You configure an access review named Review1.
Statements:
User3 can perform an access review of User1: Yes
User3 can perform an access review of UserA: Yes
User3 can perform an access review of UserB: Yes
Correct Answers: Yes, Yes, Yes
Explanation: As the owner of Group1, User3 can review direct members of Group1 (User1 and
User2). Because Group2 is a member of Group1, User3 can also review the members of Group2
(UserA and UserB) during the access review of Group1.
Question 4
You have an on-premises server that contains a folder named D:\Folder1. You need to copy the
contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.
Which command should you run?
A. azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
Correct Answer: A
Explanation: The azcopy copy command with the --recursive flag correctly copies the entire
directory contents to the specified blob container.
Question 5 (Drag and Drop)
You have an Azure subscription named Subscription1. You create an Azure Storage account
named contosostorage, and then you create a file share named data. Which UNC path should you
include in a script that references files from the data file share?
Correct UNC Path: \\contosostorage.file.core.windows.net\data
Explanation: Azure File Share UNC path format is
\\<storageaccount>.file.core.windows.net\<filesharename>.
Question 6 (Hotspot)
You have the Azure management groups shown in the table. You add Azure subscriptions as
shown.
A policy is applied at ManagementGroup11 with "Not allowed resource types: VirtualNetworks"
and at ManagementGroup12 with "Allowed resource types: VirtualNetworks".
Statements:
You can create a virtual network in Subscription1: No
You can create a virtual machine in Subscription2: Yes
You can add Subscription1 to ManagementGroup11: Yes
Correct Answers: No, Yes, Yes
Explanation: Subscription1 inherits the deny policy from ManagementGroup11 → cannot create
VNets. Subscription2 inherits the allow policy from ManagementGroup12 → can create VMs.
Subscriptions can be moved between management groups if permissions allow.
Question 7 (Hotspot)
You have an Azure subscription named Subscription1 that contains VM1 with a web server and
DNS server. The effective NSG rules are shown (Rule2 allows ports 50-60, Rule1 allows 50-500,
Default Allow RDP, etc.).
Statements:
Internet Users [answer] – Can connect to only the web server on VM1.
If you delete Rule2, Internet users [answer] – can connect to the web server and the DNS server
on VM1.
Correct Answer Explanation: Assuming standard web (port 80/443) and DNS (port 53) traffic:
With current rules, internet can reach the web server only (if Rule1/Rule2 allow web ports).
Deleting Rule2 may open additional ports (including DNS) depending on exact ranges.
(Note: Exact port mapping depends on the missing exhibit, but the logic follows effective
security rule evaluation.)
Question 8
You have an Azure web app named App1 with production and staging slots. After swapping
slots, App1 experiences performance issues. You need to revert to the previous version as quickly
as possible.
What should you do?
Correct Answer: Swap the slots (again)
Explanation: Swapping the slots back immediately reverts the application to the previous version
without data loss.
Question 9 (Hotspot)
You have VMs in different subnets and a route table RT1 applied to Subnet1 and Subnet2 that
routes traffic for 10.0.1.0/24 and 10.0.2.0/24 to VM3 (virtual appliance with IP forwarding
enabled).